Download group

15-251: Great Theoretical Ideas in Computer Science
Lecture 15
October 16, 2014
Recap: Definition of a group
G is a “group under operation ” if:
Algebra II:
Fields, Polynomials
0. [Closure] G is closed under 
i.e., a  b  G
∀ a,b∈G
1. [Associativity] Operation  is associative:
i.e., a  (b  c) = (a  b)  c ∀ a,b,c∈G
2. [Identity] There exists an element e∈G
(called the “identity element”) such that
a  e = a, e  a = a ∀ a∈G
3. [Inverse] For each a∈G there is an element a−1∈G
(called the “inverse of a”) such that
a  a−1 = e, a−1  a = e
Examples of groups
Any group of transformations is a group.
Symmetries of undirected cycle:
dihedral group
E.g., the „mattress group‟ (AKA Klein 4-group)

Id
R
F
H
Id
Id
R
F
H
R
R
Id
H
F
F
F
H
Id
R
H
H
F
R
Id
identity element is Id
R−1 = R
F−1 = F
H−1 = H
Symmetries of directed cycle:
Cyclic group
C4

Id
R1
R2
R3
Id
Id
R1
R2
R3
R1
R1
R2
R3
Id
R2
R2
R3
Id
R1
R3
R3
Id
R1
R2
In a group table, every row and every column
is a permutation of the group elements
Follows because (i) a b = a c  b = c
(ii) b a = c a  b = c
G=
{ Id, r1, r2, r3, r4,
f 1, f 2, f 3, f 4, f 5 }

Id
r1
r2
r3
r4
f1
f2
f3
f4
f5
Id
Id
r1
r2
r3
r4
f1
f2
f3
f4
f5
r1
r1
r2
r3
r4
Id
f4
f5
f1
f2
f3
r2
r2
r3
r4
Id
r1
f2
f3
f4
f5
f1
r3
r3
r4
Id
r1
r2
f5
f1
f2
f3
f4
r4
r4
Id
r1
r2
r3
f3
f4
f5
f1
f2
f1
f1
f3
f5
f2
f4
Id
r3
r1
r4
r2
f2
f2
f4
f1
f3
f5
r2
Id
r3
r1
r4
f3
f3
f5
f2
f4
f1
r4
r2
Id
r3
r1
f4
f4
f1
f3
f5
f2
r1
r4
r2
Id
r3
f5
f5
f2
f4
f1
f3
r3
r1
r4
r2
Id
Abelian groups
In a group we do NOT NECESSARILY have
a b=ba
Definition:
“a,b ∈ G commute” means ab = ba.
Definition:
A group is said to be abelian if all pairs a,b ∈ G
commute.
1
Order of a group element
Order Theorem: For every a ∈ G,
ord(a) divides |G|.
Let G be a finite group. Let a∈G.
a|G|=1 for all a∈G.
Corollary:
Definition: The order of x, denoted ord(a), is the
smallest m ≥ 1 such that am = 1.
Note that a,
a2,
a3,
…,
am−1,
am=1
all distinct.
Corollary (Euler‟s Theorem): For a  Zn* , aϕ(n) = 1
That is, if gcd(a,n)=1, then aϕ(n)  1 (mod n)
Corollary (Fermat‟s little theorem):
For prime p, if gcd(a,p)=1, then
ap-1  1 (mod p)
Cyclic groups
A finite group G of order n is cyclic if
G= {e,b,b2,…,bn-1} for some group element b
In such a case, we say b “generates” G,
or b is a “generator” of G.
Examples:
• (Zn, +)
(1 is a generator)
• C4
(Rot90 is a generator)
Non-examples: Mattress group;
any non-abelian group.
Subgroups
Q: Is (Even integers, +) a group?
A: Yes.
It is a “subgroup” of (ℤ,+)
How many generators does
(Zn, +) have?
Answer: Φ(n)
b generates Zn   a s.t. ba  1 (mod n)
(ba = b+b+…+b (a times))
Same holds for any cyclic group
with n elements
Examples
Every G has two trivial subgroups: {e}, G
Rest are called “proper” subgroups
Suppose k, 1 < k < n, divides n.
Definition: Suppose (G ,) is a group.
If H  G, and if (H,) is also a group,
then H is called a subgroup of G.
To check H is a subgroup of G, check:
1. H is closed under 
2. e  H
3. If h  H then h-1  H
•
(3rd condition follows from 1,2 if H is finite)
Q1. Is ({0, k, 2k, 3k, …, (n/k-1)k}, +n) subgroup of (Zn,+n) ?
Yes!
Q2. Is (Zk, +k) a subgroup of (Zn, +n)?
No! it doesn’t even have the same operation
Q3. Is (Zk, +n) a subgroup of (Zn, +n)?
No! Zk is not closed under +n
2
Lagrange’s Theorem
A useful corollary
Theorem: If G is a finite group, and H is a subgroup then
|H| divides |G|.
Proof similar to order theorem.
If G is a finite group and
H is a proper subgroup of G, then |H|  |G|/2
Example:
G = ({0,1}n, +) ( + : coordinate-wise addition mod 2)
Corollary (order theorem): If x  G, then ord(x) divides |G|.
Proof of Corollary:
H is a proper subgroup (check!)
So |H|  2n-1
Consider the set Tx = (x, x2, x3, …)
(i) ord(x) = |Tx|
(ii) (Tx, ) is a subgroup of (G,)
H = {(x1,x2,…,xn) : x1+x2+ … + xn = 0}
(in fact, in this case, |H| = 2n-1)
(check!)
Bezout’s identity
It was nice meeting you, groups!
Let a,b be arbitrary positive integers.
There exist integers r and s such that Follows from
Extended
Euclid Algorithm
r a + s b = gcd(a,b)
A non-algorithmic proof:
Number Theory
Interlude II
• Consider the set L of all positive integers that can
be expressed as r a + s b for some integers r,s.
• L is non-empty (eg. a  S)
• So L has a minimum element d
(well-ordering principle  principle of induction)
Claim: d = gcd(a,b)
Claim: gcd(a,b) = d (the minimum positive
integer expressible as ra+sb)
1. gcd(a,b) divides both a and b, and
hence also divides d. So d  gcd(a,b)
2. d divides both a and b, and hence d  gcd(a,b)
Let‟s show d | a.
Write a = q d + t , with 0  t < d.
t = a – q d is also expressible as a
combination r‟ a + s‟ b.
Contradicts minimality of d.
Extended Euclid & Unique Factorization
Lemma: If gcd(a,b)=1 and a | bc, then a | c.
Proof:
Let r,s be such that r a + s b =1
rac+sbc=c
a | bc and a | r a c, so a | c.

Corollary: If p is a prime and p | q1 q2 … qk,
then p must divide some qi.
If the qi‟s are also prime, then p = qi for some i.
Unique prime factorization follows from this!
3
Extended Euclid and Chinese Remaindering
Extended Euclid and Chinese Remaindering
Uniqueness of solutions modulo N
If x,y are two solutions, then ni divides x-y, for i=1,2,…k
Since the ni are coprime, this means the product
N = n1 n2 … nk divides (x-y), thus x  y (mod N)
Proof for k=2:
Take x = a1 (n2-1 mod n1) n2 + a2 (n1-1 mod n2) n1
Can compute x efficiently (by computing modular inverses)
Extended Euclid and Chinese Remaindering
Field Theory
For arbitrary k: Let mi = N/ni
Note gcd(mi,ni) = 1
ni | mj for j ≠ i
Take x = a1 (m1-1 mod n1) m1 + a2 (m2-1 mod n2) m2 +
…. + ak (mk-1 mod nk) mk
A group is a set with a single binary operation.
Find out about the wonderful world of
where two equals zero, plus is minus,
and squaring is a linear operator!
– Richard Schroeppel
Number-theoretic sets often have more than
one operation defined on them.
For example, in ℤ, we can do both addition and
multiplication.
Same in Zn (we can add and multiply modulo n)
For reals ℝ or rationals ℚ, we can also divide
(inverse operation for multiplication).
4
Field – formal definition
Fields
Informally, it‟s a place where you can
add, subtract, multiply, and divide.
Examples:
Real numbers
Rational numbers
Complex numbers
Integers mod prime
ℝ
ℚ
ℂ
Zp (Why?)
NON-examples: Integers ℤ
division??
Non-negative reals ℝ+ subtraction??
Example
Quadratic “number field”
ℚ(2) = { a + b 2 : a,b  ℚ }
Addition: (a + b 2) + (c + d 2) = (a+c) + (b+d) 2
Multiplication:
(a + b 2)  (c + d 2) = (ac+2bd) + (ad+bc) 2
Exercise: Prove above defines a field.
A field is a set F with two
binary operations,
called + and •.
Example:
= Z3 *
+ 0 1 2
(F,+) an abelian group, with
identity element called 0
0 0 1 2
1 1 2 0
2 2 0 1
(F \ {0},•) an abelian group,
identity element called 1
• 0 1 2
0 0 0 0
1 0 1 2
2 0 2 1
Distributive Law holds:
a•(b+c) = a•b + a•c
Finite fields
Some familiar infinite fields: ℚ, ℝ, ℂ (now ℚ(2))
Finite fields we know:
Zp aka
for p a prime
Is there a field with 2 elements?
Yes
Is there a field with 3 elements?
Yes
Is there a field with 4 elements?
Yes
+ 0 1 a b
• 0 1 a b
0 0 1 a b
0 0 0 0 0
1 1 0 b a
1 0 1 a b
a a b 0 1
a 0 a b 1
b b a 1 0
b 0 b 1 a
Finite fields
Evariste Galois (1811−1832)
introduced the concept of a
finite field (also known as a
Galois Field in his honor)
Is there a field with 2 elements?
Yes
Is there a field with 3 elements?
Yes
Is there a field with 4 elements?
Yes
Is there a field with 5 elements?
Yes
Is there a field with 6 elements?
No
Is there a field with 7 elements?
Yes
Is there a field with 8 elements?
Yes
Is there a field with 9 elements?
Yes
Is there a field with 10 elements?
No
5
Finite fields
Theorem (which we won‟t prove):
There is a field with q elements
if and only if q is a power of a prime.
Finite fields
Question:
If q is a prime power but not just a prime,
what are the addition and multiplication
tables of
?
Up to isomorphism, it is unique.
That is, all fields with q elements have the
same addition and multiplication tables,
after renaming elements.
This field is denoted
(also GF(q))
Answer:
It‟s a bit hard to describe.
We‟ll tell you later, but for 251‟s purposes,
you only need to know about prime q.
Polynomials
Informally, a polynomial is an expression
that looks like this:
Polynomials
6x3 − 2.3x2 + 5x + 4.1
x is a symbol, called the variable
the „numbers‟ standing next to
powers of x are called the coefficients
Polynomials
Informally, a polynomial is an expression
that looks like this:
Polynomials – formal definition
Let F be a field and let x be a variable symbol.
F[x] is the set of polynomials over F,
6x3
−
2.3x2
+ 5x + 4.1
Actually, coefficients can come from any field.
defined to be expressions of the form
cd xd + cd−1 xd−1 + ··· + c2 x2 + c1 x + c0
where each ci is in F, and cd ≠ 0.
Can allow multiple variables, but we won‟t.
Set of polynomials with variable x and
coefficients from field F is denoted F[x].
We call d the degree of the polynomial.
Also, the expression 0 is a polynomial.
(By convention, we call its degree −∞.)
6
Adding and multiplying polynomials
You can add and multiply polynomials.
Example. Here are two polynomials in
Adding and multiplying polynomials
You can add and multiply polynomials (they are a
“ring” but we‟ll skip a formal treatment of rings)
Example. Here are two polynomials in
P(x) = + 5x − 1
Q(x) = 3x3 + 10x
x2
P(x) + Q(x) = 3x3 + x2 + 15x − 1
= 3x3 + x2 + 4x − 1
= 3x3 + x2 + 4x + 10
P(x) = x2 + 5x − 1
Q(x) = 3x3 + 10x
P(x) • Q(x) = (x2 + 5x − 1)(3x3 + 10x)
= 3x5 + 15x4 + 7x3 + 50x2 − 10x
= 3x5 + 4x4 + 7x3 + 6x2 + x
Adding and multiplying polynomials
Polynomial addition is associative and commutative.
0 + P(x) = P(x) + 0 = P(x).
P(x) + (−P(x)) = 0.
So (F[x], +) is an abelian group!
Dividing polynomials?
P(x) / Q(x) is not necessarily a polynomial.
So F[x] is not quite a field.
(It‟s an “integral domain”)
Polynomial multiplication is associative and commutative.
1 • P(x) = P(x) • 1 = P(x).
Multiplication distributes over addition:
P(x) • (Q(x) + R(x)) = P(x) • Q(x) + P(x) • R(x)
If P(x) / Q(x) were always a polynomial,
then F[x] would be a field! Alas…
Dividing polynomials?
ℤ has the concept of “division with remainder”:
Same with ℤ, the integers:
it has everything except division.
Actually, there are many analogies between F[x] and ℤ.
• starting point for rich interplay between algebra, arithmetic,
and geometry in modern mathematics
“Division with remainder” for polynomials
Example:
Given a,b∈ℤ, b≠0, can write
a = q•b + r,
where r is “smaller than” b.
F[x] has the same concept:
Given A(x),B(x)∈F[x], B(x)≠0, can write
A(x) = Q(x)•B(x) + R(x),
where deg(R(x)) < deg(B(x)).
Divide 6x4+8x+1 by 2x2+4 in
3x2 +5
2x2+4
6x4+8x+1
Check:
− 6x4+x2
6x4+8x+1
= (3x2+5)(2x2+4)+(8x+3)
−x2+8x+1
(in
)
− −x2+9
8x+3
7
Integers ℤ
Polynomials F[x]
“size” = abs. value
“size” = degree
“division”:
a = qb+r, |r| < |b|
can use Euclid‟s Algorithm
to find GCDs
“division”:
A(x) = Q(x)B(x)+R(x),
deg(R) < deg(B)
Degree < 2 polynomials {0,1,x,1+x}  F2[x]
Addition and multiplication modulo 1+x+x2
can use Euclid‟s Algorithm
to find GCDs
p is “prime”:
no nontrivial divisors
ℤ mod p:
a field iff p is prime
The field with 4 elements
P(x) is “irreducible”:
no nontrivial divisors
F[x] mod P(x):
a field iff P(x) is irreducible
(with |F|deg(P) elements)
a=x
b=1+x
+ 0 1 a b
• 0 1 a b
0 0 1 a b
0 0 0 0 0
1 1 0 b a
1 0 1 a b
a a b 0 1
a 0 a b 1
b b a 1 0
b 0 b 1 a
Evaluating polynomials
Given a polynomial P(x) ∈ F[x],
P(a) means its evaluation at element a.
E.g., if P(x) = x2+3x+5 in
Enough algebraic theory.
P(6) = 62+3·6+5 = 36+18+5 = 59 = 4
Let‟s play with polynomials!
P(4) = 42+3·4+5 = 16+12+5 = 33 = 0
Definition:
Polynomial roots
Theorem:
Let P(x) ∈ F[x] have degree 1.
Then P(x) has exactly 1 root.
Proof:
Write P(x) = cx + d (where c≠0).
Then P(r) = 0
⇔ cr + d = 0
⇔
cr = −d
⇔
r = −d/c.
 is a root of P(x) if P() = 0.
Polynomial roots
Theorem:
Let P(x) ∈ F[x] have degree 2.
Then P(x) has… how many roots??
E.g.:
x2+1…
# of roots over
:
1 (namely, 1)
# of roots over
:
0
# of roots over
:
2 (namely, 2 and 3)
# of roots over
:
0
# of roots over
:
2 (namely, i and −i)
8
The single most important theorem
about polynomials over fields:
Theorem: Over a field, for all d ≥ 0, a nonzero
degree-d polynomial P has at most d roots.
Proof by induction on d∈ℕ:
Recall our
Base case: If P(x) is degree-0 then P(x) = a for some a≠0. convention:
This has 0 roots.
A nonzero degree-d
polynomial has
at most d roots.
deg(0) = - ∞
Induction:
Assume true for d ≥ 0. Let P(x) have degree d+1.
If P(x) has 0 roots: we‟re done! Else let b be a root.
Divide with remainder: P(x) = Q(x)(x−b) + R(x). (∗)
deg(R) < deg(x−b) = 1, so R(x) is a constant. Say R(x)=r.
Plug x = b into (∗): 0 = P(b) = Q(b)(b−b)+r = 0+r = r.
So P(x) = Q(x)(x−b). Now, deg(Q) = d. ∴ Q has ≤ d roots.
∴ P(x) has ≤ d+1 roots, completing the induction.
A useful corollary
Theorem:
Over a field, degree-d polynomials have at most d roots.
Theorem: Over a field F, for all d ≥ 0,
degree-d polynomials have at most d roots.
Reminder:
Corollary: Suppose a polynomial R(x)  F[x]
is such that
(i) R has degree ≤ d and
(ii) R has > d roots
Then R must be the 0 polynomial
This is only true over a field.
E.g., consider P(x) = 3x over Z6.
It has degree 1, but 3 roots: 0, 2, and 4.
I’ve used the above corollary several times in my research.
Interpolation
Interpolation
Say you‟re given a bunch of “data points”
(a2,b2)
Let pairs (a1,b1), (a2,b2), …, (ad+1,bd+1)
from a field F be given (with all ai‟s distinct).
(a3,b3)
(a5,b5)
b1
(a4,b4)
a1
Can you find a (low-degree)
polynomial which “fits the data”?
Theorem:
There is exactly one polynomial P(x)
of degree at most d such that
P(ai) = bi for all i = 1…d+1.
E.g., through 2 points there is a unique linear polynomial.
9
Interpolation
There are two things to prove.
1. There is at least one polynomial of degree
≤ d passing through all d+1 data points.
2. There is at most one polynomial of degree
≤ d passing through all d+1 data points.
Interpolation
Theorem: Let pairs (a1,b1), (a2,b2), …, (ad+1,bd+1)
from a field F be given (with all ai‟s distinct).
Then there is at most one polynomial P(x)
of degree at most d with P(ai) = bi for all i.
Proof: Suppose P(x) and Q(x) both do the job.
Let R(x) = P(x)−Q(x).
Since deg(P), deg(Q) ≤ d we must have deg(R) ≤ d.
But R(ai) = bi−bi = 0 for all i = 1…d+1.
Let‟s prove #2 first.
Thus R(x) has more roots than its degree.
∴ R(x) must be the 0 polynomial, i.e., P(x)=Q(x).
Interpolation
Interpolation
Now let‟s prove the other part,
that there is at least one polynomial.
The method for constructing the polynomial
is called Lagrange Interpolation.
Theorem:
Let pairs (a1,b1), (a2,b2), …, (ad+1,bd+1)
from a field F be given (with all ai‟s distinct).
Then there exists a polynomial P(x) of
degree at most d with P(ai) = bi for all i.
Lagrange Interpolation
a1
a2
a3
···
ad
ad+1
b1
b2
b3
···
bd
bd+1
Want P(x)
Discovered in 1779
by Edward Waring.
Rediscovered in 1795
by J.-L. Lagrange.
Lagrange Interpolation
a1
a2
a3
···
ad
ad+1
1
0
0
···
0
0
Can we do this special case?
(with degree ≤ d)
such that P(ai) = bi ∀i.
Promise: once we solve this special case,
the general case is very easy.
10
Lagrange Interpolation
a1
a2
a3
···
ad
ad+1
1
0
0
···
0
0
Lagrange Interpolation
a1
a2
a3
···
ad
ad+1
1
0
0
···
0
0
Just divide P(x)
by this number.
Idea #1: P(x) = (x−a2)(x−a3)···(x−ad+1)
Degree is d. ✔
P(a2) = P(a3) = · · · = P(ad+1) = 0. ✔
P(a1) = (a1−a2)(a1−a3)···(a1−ad+1). ??
Lagrange Interpolation
Numerator
is a deg. d
polynomial
a1
a2
a3
···
ad
ad+1
1
0
0
···
0
0
Denominator
is a nonzero
field element
Idea #2:
Lagrange Interpolation
a1
a2
a3
···
ad
ad+1
0
1
0
···
0
0
Great! But what about this data?
Call this the selector polynomial for a1.
Lagrange Interpolation
a1
a2
a3
···
ad
ad+1
0
0
0
···
0
1
Great! But what about this data?
Lagrange Interpolation
a1
a2
a3
···
ad
ad+1
b1
b2
b3
···
bd
bd+1
Great! But what about this data?
11
Lagrange Interpolation – example
Over Z11, find a polynomial P of degree ≤ 2
such that P(5) = 1, P(6) = 2, P(7) = 9.
S5(x) = 6 (x−6)(x−7)
S6(x) = -1 (x−5)(x−7)
The Chinese Remainder Theorem had a
very similar proof
Not a coincidence:
algebraically, integers & polynomials
share many common properties
S7(x) = 6 (x−5)(x−6)
P(x) = 1 S5(x) + 2 S6(x) + 9 S7(x)
P(x) = 6(x2−13x+42) − 2(x2−12x+35) + 54(x2−11x+30)
Lagrange interpolation is the exact analog of
Chinese Remainder Theorem for polynomials.
P(x) = 3x2+x+9
Recall: Interpolation
Let pairs (a1,b1), (a2,b2), …, (ad+1,bd+1)
from a field F be given (with all ai‟s distinct).
Let mi = N/ni
Theorem:
There is a unique degree d polynomial P(x)
satisfying P(ai) = bi for all i = 1…d+1.
i‟th “selector” number: Ti = (mi-1 mod ni) mi
x = a1 T1 + a2 T2 + ... + ak Tk
A linear algebra view
Lagrange interpolation
Let p(x) = p0 + p1x + p2 x2 + … + pd xd
Need to find the coefficient vector (p0,p1,…,pd)
p(a) = p0 + p1 a + …+ pd ad
= 1  p0 + a  p1 + a2 p2 + … + ad pd
Thus we need to solve:
Thus can recover coefficient vector as
The columns of M-1 are given by the coefficients
of the various “selector” polynomials we constructed
in Lagrange interpolation.
12
Group Theory:
Abelian
Order theorem
Isomorphism
Subgroups
Representing Polynomials
Let P(x)∈F[x] be a degree-d polynomial.
Number Theory:
Euler‟s theorem
Chinese Remainder theorem
Representing P(x) using d+1 field elements:
1.
List the d+1 coefficients.
2.
Give P‟s value at d+1 different elements.
Study Guide
Rep 1 to Rep 2:
Evaluate at d+1 elements
Rep 2 to Rep 1:
Lagrange Interpolation
Fields:
Definitions
Examples
Finite fields of prime order
Polynomials:
Degree-d polys have ≤ d roots.
Polynomial division with remainder
Lagrange Interpolation
13